[MS-GPOD-Diff]: Group Policy Protocols Overview. Intellectual Property Rights Notice for Open Specifications Documentation


[MS-GPOD-Diff]:

This document provides an overview of the Protocol Family. It is intended for use in conjunction with the Microsoft Protocol Technical Documents, publicly available standard specifications, network programming art, and Microsoft Windows distributed systems concepts. It assumes that the reader is either familiar with the aforementioned material or has immediate access to it. A Protocol System Document does not require the use of Microsoft programming tools or programming environments in order to implement the Protocols in the System. Developers who have access to Microsoft programming tools and environments are free to take advantage of them.

Intellectual Property Rights Notice for Open Specifications Documentation

Technical Documentation. Microsoft publishes Open Specifications documentation ("this documentation") for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions.

Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting iplg@microsoft.com.

Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit

Fictitious Names. The example companies, organizations, products, domain names, addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Abstract

Provides an overview of the functionality and relationship of the protocols that implement Group Policy. The Group Policy protocols consist of a set of protocols that are used to create, read, update, and remove Group Policy Objects (section 1.1.3). The Group Policy protocols enable the Group Policy client to retrieve policy settings from a Group Policy server and enable an Administrative tool to retrieve, create, update, and delete policy settings on a Group Policy server. The base functionality of Group Policy, as described in [MS-GPOL], can be extended through client-side extensions that implement application-specific policy settings, and through Administrative tool extensions that implement authored configuration settings. These extensions to the Group Policy: Core Protocol [MS-GPOL] consist of the protocols specified in [MS-GPAC], [MS-GPDPC], [MS-GPEF], [MS-GPFAS], [MS-GPFR], [MS-GPIPSEC], [MS-GPNRPT], [MS-GPPREF], [MS-GPREG], [MS-GPSB], [MS-GPSCR], [MS-GPSI], and [MS-GPWL].

This document describes the intended functionality of the Group Policy protocols and how they interact with each other. It provides examples of some of the common use cases. It does not restate the processing rules and other details that are specific for each protocol. These details are described in the protocol specifications for each of the Group Policy protocols and data structures.

Revision Summary

Date | Revision History | Revision Class | Comments
9/23/ | | New | Released new document.
12/16/ | | None | No changes to the meaning, language, or formatting of the technical content.
3/30/ | | Major | Updated and revised the technical content.
7/12/ | | None | No changes to the meaning, language, or formatting of the technical content.
10/25/ | | None | No changes to the meaning, language, or formatting of the technical content.
1/31/ | | None | No changes to the meaning, language, or formatting of the technical content.
8/8/ | | Major | Updated and revised the technical content.
11/14/ | | Major | Updated and revised the technical content.
2/13/ | | None | No changes to the meaning, language, or formatting of the technical content.
5/15/ | | None | No changes to the meaning, language, or formatting of the technical content.
6/30/ | | Major | Significantly changed the technical content.
10/169/24/ | | Major | Significantly changed the technical content.
10/16/ | | None | No changes to the meaning, language, or formatting of the technical content.
9/26/ | | Major | Significantly changed the technical content.

Table of Contents

1 Introduction
Conceptual Overview
Group Policy Core Protocol
Group Policy Settings
Group Policy Objects
Group Policy Extensions
Group Policy Data Storage
Group Policy Administration
Group Policy Application
Triggering Group Policy Application
Discovering the Server and Applicable GPOs
Retrieving GPO Attributes
Retrieving and Applying Extension Settings
Group Policy SOM
Group Policy Management
Group Policy Structure
GPO Configuration Model
Glossary
References
Functional Architecture
Overview
System Purpose
Core Protocol
Extensible Architecture
Scriptable Policy Settings
Group Policy Components
Component Protocol Communications
Component Functionality
Component Tasks
Group Policy Server
Group Policy Client
Group Policy Administrative Tool
Group Policy Communication Process Details
Protocol Communication Between a Group Policy Client and Group Policy Server
Locating a Group Policy Server
Domain SOM Search and Response
Site SOM Search and Response
GPO Search and Reply
WMI Filter Processing
Link Speed Determination
Policy File Read Operation
Protocol Communication Between the Administrative Tool and Group Policy Server
Creating Group Policy Objects
Creating the Active Directory Containers
Creating the GPO File System Components
Completing the GPO Configuration
Editing Existing Policies
Modifying Extension Settings
Updating GPO Properties
Updating SOM
Deleting Group Policy Objects
Transport Requirements
2.1.4 Applicability
Relevant Standards
Protocol Summary
Core Protocol Group
Group Policy Extension Protocol Group
Environment
Dependencies on Group Policy Protocols
Dependencies on Other Services
Network Connectivity
Underlying Protocols
Persistent Data Storage Facilities
Assumptions and Preconditions
Use Cases
Use Case Diagram
Applying Group Policy Group Policy Client
Administering Group Policy Administrative Tool
Versioning, Capability Negotiation, and Extensibility
System Versioning and Capability Negotiation
Vendor-Extensible Fields
Error Handling
Failure Scenarios
Connection Failure
Internal Failures
Operating System-Related Failures
Failure in Client-Side Extensions
Link Speed Determination Failure
History Repository Errors
Group Policy File Share Access Failure
Group Policy Failures Related to Active Directory Replication
Coherency Requirements
Timers
Nontimer Events
Initialization and Re-Initialization Procedures
Security
Internal Security
Data Store Permissions
Timer and Network Events
Computer Startup and Logon Events
External Security
Additional Considerations
Examples
Example 1: Processing Group Policy Events
Example 2: Applying Policy on the Group Policy Client
Example 3: Populating the Administrative Tool with Configuration Data
Example 4: Authoring a New GPO
Example 5: Administrative Tool Cannot Connect to a Group Policy Server
Example 6: Querying Active Directory for Scope of Management and Version Information
Example 7: Group Policy Client Cannot Connect to the Group Policy Server When Applying Policy
Microsoft Implementations
Product Behavior
Change Tracking
Index

1 Introduction

Organizations face increasingly complex challenges in managing their IT infrastructures. They are responsible for delivering and maintaining customized desktop configurations for many types of workers, including mobile users, information workers, and others that are assigned to strictly defined tasks, such as data entry. Changes to standard operating system images might be required on an ongoing basis. Security settings and updates must be delivered efficiently to all the computers and devices in the organization. New users have to be productive quickly without costly training. In the event of a computer failure or disaster, service must be restored with minimal data loss and interruption.

Typically, IT departments must respond to various factors that require changes in the IT environment. These changes might consist of requirements such as the following:

Installation of new operating systems and applications.
Updates to operating systems and applications.
Installation of new hardware.
Configuration changes to support new business needs.
Management of centralized control of resources.
Configuration changes that enhance security.
Addition of new users and computers in the domain.

Group Policy enables IT departments to efficiently respond to requirements such as these, by providing the necessary framework to deliver computer configuration and policy setting changes that target specific computers and users. These policy settings are specified by a Group Policy administrator.

1.1 Conceptual Overview

Group Policy provides the infrastructure to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within a directory service environment. Policy settings are administrative directives that define computer-wide and user-specific setting configurations. Administrators can define policy settings once and rely on Windows to enforce that policy.

This section provides a conceptual overview of the major components and processes of the Group Policy protocols, which includes the following:

Group Policy core protocol, section
Group Policy settings, section
Group Policy Objects, section
Group Policy extensions, section
Group Policy data storage, section
Group Policy administration, section
Group Policy application, section
Group Policy SOM, section

Group Policy management, section
Group Policy structure, section
GPO configuration model, section

Group Policy Core Protocol

The Group Policy: Core Protocol [MS-GPOL] is a client/server protocol that enables a Group Policy client to discover and retrieve policy settings that are created by a Group Policy administrator (a domain administrator) and are stored as a Group Policy Object (GPO) in Active Directory ([MS-ADTS]). A Group Policy administrator creates policy settings to control Group Policy client behavior and capabilities. The Group Policy: Core Protocol then facilitates the communication of the administrator-defined policies from the Group Policy server to domain members such as a Group Policy client or a user who is interactively logged on to the Group Policy client computer.

For example, a Group Policy administrator might want to target the firewall configuration of a group of client computers to open a specific port on each client computer. The Group Policy administrator can use the Group Policy protocols to create a policy setting that specifies the firewall configuration, and the Group Policy: Core Protocol enables it to be delivered to Group Policy clients.

The Group Policy: Core Protocol has the following two primary modes of operation:

Policy administration: The policy administration mode is driven by the Group Policy administrator, where the Administrative tool is used to create or modify behavior and capability settings of computers and users.
Policy application: The policy application mode is driven by the Group Policy client, where the Group Policy client retrieves administrator-specified behavior and capability settings from the Group Policy server, with the assistance of the Group Policy: Core Protocol.

The Group Policy: Core Protocol does not define policy settings. The Group Policy: Core Protocol is implemented by the core Group Policy engine, which issues the network requests that constitute the policy application sequence.
The Group Policy: Core Protocol is the actual network traffic for the associated message sequences. Some of the major tasks that the core Group Policy engine handles on behalf of the Group Policy: Core Protocol are described as follows:

Applying policy: The core Group Policy engine is responsible for the application of Group Policy at regular refresh intervals; this process is called background policy application. It also applies Group Policy each time that a Group Policy client computer starts or shuts down, or a user logs on or logs off the Group Policy client computer; this process is called foreground policy application.
Locating GPOs: The core Group Policy engine locates GPOs from the appropriate domain, site, and organizational unit (OU) containers in Active Directory, by using the gPLink attribute of a scope of management (SOM) container object (section 1.1.8) that specifies the distinguished names (DN) of applicable GPOs.
Filtering and ordering GPOs: The core Group Policy engine determines whether the Group Policy administrator specified that certain GPOs should be filtered out or whether a GPO application order was configured.
Invoking execution of CSEs under specified conditions: The core Group Policy engine can run client-side extensions (CSEs) under specific conditions, as configured in the registry.
Maintaining CSE version numbers and history: The core Group Policy engine maintains a list of version numbers for CSEs and also keeps a registry-based history that records when a CSE last applied policy settings and whether that application was successful.

Calling CSEs: On determining that a CSE should be executed, the core Group Policy engine loads the CSE's dynamic link library (DLL) and accesses its execution entry point for execution.
Providing notification of policy changes: Following policy application, the core Group Policy engine fires the PolicyChange event to indicate that a policy has changed. Applications can subscribe to this event and receive notification of policy application.

Note: The core Group Policy engine is installed on all Group Policy clients.

Group Policy Settings

There are two types of policy settings, as follows:

User policy settings: These specify capabilities and behaviors for interactively logged-on users. These settings can also affect different users who are logged on to the same computer. Examples of such settings include the user's default location for saving documents, or the desktop background image for a user. Some settings affect the users regardless of the computer that they log on to. For example, policy source mode, as described in [MS-GPOL] section, can override user policy settings by causing computer policy settings to be applied to the user.
Computer policy settings: These specify capabilities and behaviors for individual computers, even when no users are logged on. Computer policy settings can also globally affect every user who logs on to the computer. Examples include policy settings that enable a computer to host a web server, schedule automated disk backups of the computer, or specify a standard web home page for all users of the computer.

The Group Policy: Core Protocol enables Group Policy clients to discover and retrieve these policy settings. The policy settings that are applied to the Group Policy client depend on the filtered GPO list, which is derived and prioritized by the core Group Policy engine on the Group Policy client.
The filtered GPO list is a set of GPOs that have passed various test criteria to verify whether they are permitted or denied applicability on the Group Policy client, as specified in [MS-GPOL] section. The application of Group Policy settings to the Group Policy client is discussed further in section and an example with message sequences is provided in section.

Group Policy Objects

Group Policy uses several protocols to create, read, update, and remove GPOs. Group Policy uses a document-centric approach to create, store, and associate policy settings. Group Policy settings are contained in GPOs to maintain various sets of behavior specifications. A GPO is a virtual object that stores policy-setting information with two components:

Directory service: GPOs and their attributes are stored in a directory service, such as Active Directory.<1>
File share: GPOs also store policy settings information on a local or remote file share, such as the Group Policy file share.<2>

Both of these storage components can reside on the Group Policy server. Through the hierarchical modeling of Active Directory, GPOs can be linked to site, domain, and organizational unit (OU) containers to enable policy settings to be applied to target users and computers that are associated with these containers. This infrastructure provides a high degree of flexibility that enables the Group Policy administrator to customize configurations, such as delivering a specific piece of software to specialized users based on their membership in an OU.

A GPO is uniquely identified by a globally unique identifier (GUID). GPO settings are evaluated by the Group Policy client through the hierarchical nature of Active Directory and by interpreting the extension policy file data on the Group Policy file share. The processes for creating a GPO are described in section.

Group Policy Extensions

Group Policy functionality can be enhanced through the implementation of Group Policy extensions. Group Policy extensions consist of client-side extensions (CSEs) and Administrative tool extensions. Most Group Policy extensions have these two extension implementation pairs: a CSE that applies policy settings, and an associated administrative-side extension that plugs into the Administrative tool to define policy settings. Group Policy extensions are invoked by the Administrative tool when creating or updating policy settings. Group Policy extensions are also invoked by the core Group Policy engine when applying policy on a policy target such as a Group Policy client.

A few Group Policy extensions have only an administrative-side, as shown in the diagram of section and as described in section 2.2. In most cases, these Group Policy extensions depend on another CSE to perform client-side functions. For Group Policy extensions that implement both a client-side and administrative-side, the Extension list that is stored in a GPO specifies a list of GUID pairs. The first GUID of each pair is the CSE GUID, and the second GUID of each pair is an Administrative tool extension GUID. Extension lists are maintained by the gPCMachineExtensionNames and gPCUserExtensionNames attributes of a GPO. The gPCMachineExtensionNames attribute contains Group Policy extension GUID pairs that apply to computer policy settings, and the gPCUserExtensionNames attribute contains Group Policy extension GUID pairs that apply to user policy settings.

CSEs and Administrative tool extensions function in the following manner:

CSEs: Enable the application of explicit functionality to various subsystems on a Group Policy client.
This is accomplished by implementing application-specific policy settings, such as the client security policies specified in [MS-GPSB], on Group Policy client computers. The CSEs that apply to a set of policy targets are designated by the Extension list of a GPO. Each CSE in the GPO Extension list is represented as a GUID that is associated with a CSE protocol, sometimes referred to as a client-side plug-in, residing on the Group Policy client computer. The GUID enables the core Group Policy engine on the Group Policy client to locate and invoke the CSE protocol, which in turn applies policy settings to the policy target. These settings are all defined by the GPO, which includes the extension policy files that reside on the Group Policy file share. CSE protocols depend on the execution of the core Group Policy engine on the Group Policy client for the following:

To identify GPOs for a CSE to query to obtain the stored settings for that extension.
To provide the message sequences for retrieving the CSE settings that are stored in the logical part of a GPO.
To invoke a file access protocol to retrieve extension-related policy settings in the extension policy files on the Group Policy file share.

Administrative tool extensions: Facilitate authoring and modification of specific administrative settings that are related to extended functionality, such as the security-based settings specified in [MS-GPIPSEC]. The Administrative tool extensions that apply to policy targets are designated by the Extension list of a GPO. Each Administrative tool extension in the GPO Extension list is represented as a GUID that is associated with an administrative-side extension protocol, sometimes referred to as an administrative plug-in. The plug-in resides on the computer that hosts the Administrative tool. This GUID enables the Administrative tool to locate the extension for administering the GPO settings that are related to that particular extension.
Settings for such extensions, for example, those specified in [MS-GPSB], are typically stored in Active Directory via the Lightweight Directory Access Protocol (LDAP) [RFC2251] and in the Group Policy file share via a file access protocol. Administrative tool extension protocols depend on the Administrative tool for the following:

To identify GPOs that the administrative-side extension can query to obtain the stored settings for that extension.
To provide the message sequences for updating the administrative-side extension settings that are stored in the logical part of a GPO.
To invoke a file access protocol to retrieve or store extension-related policy settings in the extension policy files on the Group Policy file share.

Policy settings for a given class of extension functionality are communicated by a CSE protocol itself and not directly by the core Group Policy engine. The behavior of a given protocol extension is specified in the documentation for that extension. For example, the behavior of the Group Policy: IP Security (IPsec) Protocol is documented in [MS-GPIPSEC]. The extension protocols that are native to Group Policy are specified in section 2.2. However, vendors can extend the functionality of Group Policy by implementing custom Group Policy extensions, as described in [MS-GPOL] section.

Group Policy Data Storage

The Group Policy protocols read and write policy information to and from the Group Policy data store, which contains the following components:

Active Directory data store: This store is part of AD DS implemented on the Group Policy server and serves as a repository for GPOs. GPOs are maintained in Active Directory as type groupPolicyContainer objects within a Group Policy Objects container and are accessed via LDAP calls. A GPO maintains policy configuration settings that apply to policy targets, such as a user that is interactively logged on to a Group Policy client.
Some policy configuration settings that are stored in GPOs can be regarded as Group Policy metadata because this information (section ), embedded in the attributes of Active Directory objects, is used to identify Group Policy configurations such as SOM, extension applicability, and the policy file location, rather than the actual policy settings that are applied to Group Policy clients. For example, a GPO contains attributes that specify a user extension list and computer extension list that are specific to that particular GPO configuration. These lists specify the extension protocols that apply to target users and computers, for which the GPO is configured. The actual settings for these extensions are stored in the Group Policy file share and comprise the actual policy settings that CSEs apply on the Group Policy client. However, it is a GPO attribute in Active Directory that holds the pointer to the file share location where the CSE policy settings reside.

Group Policy file share data store: This store persists user and computer policy settings and also maintains a file that specifies GPO version information. If a GPO has registry settings, the Group Policy file share data store will contain the file registry.pol, which stores the registry settings that are generated by configuring Administrative template items with a management tool such as the Group Policy Management Console (GPMC). The Group Policy file share store can exist locally on the Group Policy server or remotely on a file share, where policy data is retrieved via a file access protocol.<3>

Policy settings for Group Policy extensions are persisted in extension policy files on the Group Policy file share and/or in a GPO. These settings are retrieved for the application of extension policy settings on the Group Policy client. For more information about how extension settings are applied to a Group Policy client, refer to section.
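Because the CSE GUID in a GPO's Extension list is what lets the core Group Policy engine locate and invoke a CSE, reviewing those lists shows which extensions each GPO will cause clients to run. The following Python sketch is an added example, not code from the specification: it assumes the bracketed `[{CSE GUID}{tool GUID}]` string encoding that [MS-GPOL] defines for gPCMachineExtensionNames and gPCUserExtensionNames, and every GUID, GPO name and the allow-list in it are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed encoding (per [MS-GPOL]): "[{CSE GUID}{tool GUID}...][...]", no separators.
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GUID_RE = re.compile(GUID)
GROUP_RE = re.compile(r"\[((?:" + GUID + r"){2,})\]")


@dataclass(frozen=True)
class ExtensionEntry:
    cse_guid: str      # first GUID of the group: the client-side extension
    tool_guids: tuple  # remaining GUID(s): Administrative tool extension(s)


def parse_extension_list(value):
    """Parse one Extension list attribute value into ExtensionEntry objects.

    Raises ValueError if any part of the value is not a well-formed group,
    so truncated or hand-edited values are reported instead of skipped.
    """
    entries, pos = [], 0
    value = (value or "").strip()
    while pos < len(value):
        group = GROUP_RE.match(value, pos)
        if group is None:
            raise ValueError(f"malformed group at offset {pos}: {value[pos:pos + 24]!r}")
        guids = [g.upper() for g in GUID_RE.findall(group.group(1))]
        entries.append(ExtensionEntry(guids[0], tuple(guids[1:])))
        pos = group.end()
    return entries


def audit_gpo(gpo, allowed_cses):
    """Return (gpo name, scope, finding, detail) tuples for one exported GPO."""
    findings = []
    for attr, scope in (("gPCMachineExtensionNames", "computer"),
                        ("gPCUserExtensionNames", "user")):
        try:
            entries = parse_extension_list(gpo.get(attr))
        except ValueError as exc:
            findings.append((gpo["name"], scope, "MALFORMED", str(exc)))
            continue
        seen = set()
        for entry in entries:
            if entry.cse_guid in seen:
                findings.append((gpo["name"], scope, "DUPLICATE_CSE", entry.cse_guid))
            seen.add(entry.cse_guid)
            if entry.cse_guid not in allowed_cses:
                findings.append((gpo["name"], scope, "UNEXPECTED_CSE", entry.cse_guid))
    return findings


# Constructed GUIDs (not real extension identifiers).
CSE_REG = "{A0000000-0000-4000-8000-000000000001}"
TOOL_REG = "{B0000000-0000-4000-8000-000000000001}"
CSE_X = "{A0000000-0000-4000-8000-0000000000FF}"
TOOL_X = "{B0000000-0000-4000-8000-0000000000FF}"

# Hypothetical allow-list of CSEs the organization expects GPOs to enable.
ALLOWED_CSES = {CSE_REG}

# Constructed export of three GPOs, as an LDAP query might return them.
SAMPLE_GPOS = [
    {"name": "Baseline Workstation",
     "gPCMachineExtensionNames": f"[{CSE_REG}{TOOL_REG}]",
     "gPCUserExtensionNames": None},
    {"name": "Legacy Logon",
     "gPCMachineExtensionNames": None,
     "gPCUserExtensionNames": f"[{CSE_X}{TOOL_X}][{CSE_REG}{TOOL_REG}]"},
    {"name": "Broken",
     "gPCMachineExtensionNames": f"[{CSE_REG}{TOOL_REG}",  # missing closing bracket
     "gPCUserExtensionNames": None},
]


def run_audit():
    """Audit every sample GPO and return the combined findings."""
    findings = []
    for gpo in SAMPLE_GPOS:
        findings.extend(audit_gpo(gpo, ALLOWED_CSES))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding, sep=" | ")
```
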

1.1.6 Group Policy Administration

Group Policy administration consists of creating new GPOs, deleting GPOs, and editing existing policy settings, as described in section. In policy administration mode, the Group Policy administrator uses the Administrative tool to locate the Group Policy server and interact with the same Active Directory objects as occurs during policy application by the Group Policy client. However, the Administrative tool does not directly apply policy settings to the Group Policy client. Instead, it only enables the Group Policy administrator to create, update, or delete policy settings, and then update the Group Policy server with those configurations via LDAP. Thereafter, following a Group Policy trigger, the Group Policy client accesses those updated or new objects and associated settings during the policy application process.

Policy administration also applies to modifying and authoring Group Policy extension settings, in addition to authoring Administrative template settings:

Modifying extension settings: GPOs that contain classes of settings for a specific Administrative tool extension are identified by an Administrative tool extension GUID, which is used to invoke the extension protocol that can retrieve the associated settings from a GPO for updating. The retrieval process is facilitated by the Administrative tool, which invokes LDAP and a file access protocol to access the settings. After extension settings are edited, the Administrative tool sends an LDAP modifyRequest to update the logical component of a GPO and a file access open/write request to update the Group Policy file share location where the extension policy files reside.
Authoring extension settings: When authoring new extension settings for a new GPO, the Group Policy administrator first creates the new GPO by following the processes described in section. Thereafter, the Group Policy administrator can use the Administrative tool to author settings for an Administrative tool extension. When this occurs, the Administrative tool sends an LDAP addRequest to Active Directory to write the Administrative tool extension GUID and client-side extension GUID (CSE GUID) to the Extension lists of the GPO. These attributes enable the Group Policy client to determine which Group Policy extensions should apply their settings to the Group Policy client during the policy application process.
Configuring administrative template settings: Policy administration includes the configuration of Administrative template settings that are accessible from a management tool such as the GPMC. The Administrative template policy configurations generate registry settings that are stored in the file registry.pol, which is located on the Group Policy file share. During policy application, this file is read by the Group Policy: Registry Extension Encoding protocol [MS-GPREG], and its settings are applied to the Group Policy client registry.

Group Policy Application

The policy application process utilizes a pull model when it retrieves Group Policy data to apply to the Group Policy client. For example, when retrieving policy settings, the Group Policy client polls the Group Policy server to check for new policy settings specified by the Group Policy administrator that affect either the client computer itself or a domain user that is interactively logged on to the client computer. To accommodate these requirements, the application of Group Policy is specified in two modes.
The first is computer policy mode, which affects the client computer and all users logging on to the client computer; the second is user policy mode, which only affects the users who log on to the client computer. For user policy mode, the policy target is a domain user account, for which policy settings are retrieved. For computer policy mode, the policy target is a domain computer account, for which policy settings are retrieved. The application of Group Policy is triggered by specific events, such as a user logon or computer startup, as described in section.

The following is a conceptual summary of the processes that occur whenever Group Policy is applied. The specified actions of the Group Policy client are carried out by the core Group Policy engine running on the Group Policy client:

DC discovery: The Group Policy client searches for a domain controller (DC) and connects to Active Directory. The communication details for this process are described in section.
DN discovery: The Group Policy client attempts to discover the DN of the policy target, which is used in querying for applicable GPOs, as described in [MS-GPOL] section.
Domain SOM search: The Group Policy client queries the Group Policy server for any GPOs that are linked to the domain and therefore apply to the Group Policy client policy target account. The communication details for this process are described in section. SOM defines hierarchical levels from which GPOs apply to policy targets; these levels include the domain, site, and organizational unit (OU) levels. For example, a domain SOM search returns the DNs of all GPOs that are linked to the domain container, which holds one or more policy targets to which the GPOs apply. For more information about SOM, refer to section.
Site SOM search: The Group Policy client queries the Group Policy server for any GPOs that are linked to the site container and therefore apply to the Group Policy client policy target account. The communication details for this process are described in section.
GPO search: The Group Policy client queries the collection of GPOs defined by the SOM, to obtain various information sets that include the GPO security descriptor, the GPO file system path, GPO version number, the GUIDs of extensions that apply to the Group Policy client, and other GPO metadata, as described in section. Communication details for this process are described in section.
GPO filter evaluation: The Group Policy client processes each GPO to check its functionality version, disabled/enabled status, empty status, and security rights.
These checks determine whether the GPO is allowed or denied applicability on the Group Policy client, as described in [MS-GPOL] section.
WMI filter evaluation: The Group Policy client queries the Group Policy server for any Windows Management Instrumentation (WMI) filters that limit the set of GPOs that are to be used by Group Policy extensions. The communication details for this process are described in section.
Link speed discovery: The Group Policy client attempts to estimate the network speed of its connection to the Group Policy server, as described in section.
Extension protocol sequences: The Group Policy client determines which CSEs apply to it for user policy mode and computer policy mode, and then invokes a protocol sequence that causes each CSE to apply its settings to the Group Policy client, as described in section.
Policy change event: The Group Policy client raises a local PolicyChange event at the end of policy application to indicate that a policy has changed, as described in section.

The programmatic details for these processes are specified in [MS-GPOL] section. Formats for the messages that are associated with these processes are specified in [MS-GPOL] section.

Triggering Group Policy Application

Certain events trigger the application of Group Policy, at which time the core Group Policy engine is invoked to initiate the application process. The following events trigger the application of Group Policy in computer policy mode and user policy mode.

Computer policy mode: The following events trigger the application of Group Policy to the Group Policy client computer:

Computer startup
Computer shutdown

13 Periodic refresh timer User policy mode: The following events trigger the application of Group Policy to the user on the Group Policy client computer: User logon User logoff Periodic refresh timer Note The periodic refresh timer can be superseded to apply Group Policy at any time, as described in section The application of Group Policy in either computer policy mode or user policy mode involves the application of both Administrative template settings and extension settings. However, before this can occur, it is necessary to discover the domain controller that contains the GPOs that apply to the policy targets, as described in the following sections Discovering the Server and Applicable GPOs Policy application starts with an initial discovery step by the Group Policy client to locate a domain controller, as described in [MS-ADOD] (section 3.1.1). This step is necessary to identify the domain controller that contains the Group Policy Objects container for the domain in which the Group Policy client resides. After locating a domain controller, the core Group Policy engine on the Group Policy client performs a set of LDAP queries to Active Directory on the Group Policy server. The initial queries determine which GPOs were assigned to the policy target accounts by the Group Policy administrator, which include the domain computer account and the account of the user logged on to the Group Policy client. The remaining queries assemble the logical GPO from its component parts, which include the components stored in Active Directory and in the file system (Group Policy file share), as described in sections and To discover the GPOs that apply to the policy target account, the initial queries perform a search on the Active Directory hierarchy containing the policy target accounts. This hierarchy typically contains a domain root container that has OU containers within it, which in turn contain domain account objects. 
GPOs can be associated with any of these containers, to define the scope of Group Policy applicability, and therefore apply to any domain accounts that exist within them. Essentially, the initial queries locate the Group Policy Objects container for the domain to discover the GPOs contained within it, along with the SOM container objects (domain, sites, and/or OUs) to which the GPOs are linked, so that a Resultant Set of Policy (RSoP) can be achieved on the Group Policy client.

Retrieving GPO Attributes

By using information obtained from the initial queries, the Group Policy client uses another set of queries to assemble the logical GPO from its component parts that exist in Active Directory and on the Group Policy file share. These queries utilize LDAP to return GPO attributes that are associated with the policy target accounts, as follows:
Extension list: Provides a list of GUIDs, contained within a GPO, that identify classes of settings (associated with extension protocols) to be applied to the Group Policy client.
Filtering: Enables specified policy target accounts to be excluded from association with a GPO.
GPO path directories: Provides the location of extension policy files and the GPO version information file (gpt.ini) stored on the Group Policy file share.
GPO security descriptor: Determines whether a GPO is allowed or denied, based on an access control entry (ACE) right that applies to the Active Directory security group in which the policy target account is a member.
Precedence: Enables resolution of conflicts between settings of different GPOs.
Version: Specifies the version of a GPO, for use in determining whether a policy target requires updating.

By using the GPO path directory information, the core Group Policy engine on the Group Policy client invokes a file access protocol to query the Group Policy file share to locate the file that contains the GPO version information and the directories that contain the extension policy files. The Group Policy client uses all of the previous information to compute a list of the GPOs that apply to it, along with the GUIDs that identify the extensions whose settings are to be applied in the next and final steps of policy application.

Retrieving and Applying Extension Settings

The last steps of policy application involve the retrieval and application of extension settings. The Group Policy client uses its computed list of GPOs with different classes of settings to begin the process. For each class of settings in the list, the Group Policy client uses a CSE GUID to identify a CSE (a Group Policy extension), such as the Group Policy: Registry Extension Encoding protocol [MS-GPREG], that contains corresponding extension settings. The core Group Policy engine on the Group Policy client invokes a protocol sequence that uses the CSE GUID to locate the settings associated with the CSEs that are stored in the GPO on the Group Policy server. The CSE retrieves the associated settings that are stored in the GPO by using LDAP to access the Active Directory-based component of the GPO and by using a file access protocol to access the Group Policy file share-based component of the GPO. When the settings are successfully retrieved, the CSE on the Group Policy client interprets the settings and enforces the behaviors that they specify. The Group Policy client of itself cannot interpret and enforce settings because it does not recognize the internal details of the Group Policy extension.

The following summary provides some additional context to the preceding discussion by further clarifying the retrieval and application of extension policy settings to a Group Policy client via a CSE protocol.
Prior to the Group Policy trigger, the Group Policy administrator will have configured extension settings with the Administrative tool for a policy target. This creates an extension policy file, which is then associated with a GPO in Active Directory and stored on the Group Policy file share. For some extensions, settings are stored on the Group Policy file share and/or in the GPO itself.
A Group Policy trigger causes the Group Policy client to invoke the core Group Policy engine to initiate the retrieval of attributes and policy settings from a GPO (or set of GPOs) that apply to the Group Policy client and that specify the applicable CSEs.
The core Group Policy engine initiates an LDAP call that reads the GUID of the CSE protocol from a GPO that applies to the Group Policy client and then invokes the CSE protocol for policy application.
The CSE protocol reads and parses the settings of the extension policy file on the Group Policy file share and/or reads the extension settings that are stored in the GPO itself, and then applies them to the appropriate Group Policy client.

1.1.8 Group Policy SOM

The collection of GPOs that apply to a set of policy targets is considered the scope of management (SOM). SOM tells the core Group Policy engine which site-, domain-, or OU-level GPOs apply to a policy target. During policy application, the core Group Policy engine searches for GPOs in the Group Policy Objects container (section 1.1.9) in Active Directory and then determines the SOM by inquiring which site, domain, and OU containers the GPOs are linked to, along with the order of precedence in which they apply to the policy target.

SOM is not an object itself but rather a construct that describes how Group Policy is applied to policy targets from Active Directory hierarchical levels by using GPOs. SOM associates GPOs with policy targets that exist within a site, domain, or OU container object, in accordance with the GPOs that are linked to such objects. This association is established, in order of GPO precedence, within a list of GPO DNs that is contained by the gplink attribute of the site, domain, or OU container object. For example, there might be GPOs at the domain and OU level that apply to a particular set of policy targets, and the order of precedence might be that the OU-level GPO overrides a GPO at the domain level in terms of certain policy settings that have priority. The GPO applicability and precedence configuration is resolved through various filtering evaluations that result in a final computed list of GPOs whose settings are applied to one or more policy targets.

All SOM containers have to maintain the following attributes:
SOM DN: The DN of the SOM container, such as a domain container.
gplink: A directory string value for the gplink attribute of the SOM container.
gpoptions: An integer value that is used to set the Group Policy inheritance configuration among hierarchical SOM containers. For more information, see [MS-GPOL] section
SOM object type: Specifies the type of Active Directory container that the SOM represents; one of the following values is assigned to this attribute:
GPLinkOrganizationalUnit: The SOM container object represents an OU.
GPLinkDomain: The SOM container object represents a domain.
GPLinkSite: The SOM container object represents a site.

An Active Directory container comes into scope of management when one or more GPOs are linked to it.

Group Policy Management

Group Policy can be managed from an interface such as the GPMC, a custom application, or a command-line tool. GPOs exist within a Group Policy Objects container in Active Directory, as shown in the following diagram, and can be managed by a Group Policy administrator:

Figure 1: GPO location in Active Directory

The Group Policy administrator uses the Active Directory container objects for the domain as shown in the diagram to manage Group Policy. When Group Policy administrators need to manage GPOs, they can create a new GPO, delete a GPO, or edit an existing one. They can also manage policy settings via other default GPOs for the domain. The following default objects and containers can be accessed in a domain for management purposes:
Domain Controllers container: A default container that is automatically created when a server is promoted to a domain controller. It is linked to the domain controller's OU and manages security settings for all domain controllers in a domain.
WMI Filters container: A default container that is automatically created when a server is promoted to a domain controller. It holds WMI filter objects that the Group Policy administrator creates and that are linked to GPOs to exempt specific Group Policy clients from the extension policy settings that they hold. For information about evaluating WMI filters, refer to [MS-GPOL] section
Group Policy Objects container: A default container that is automatically created when a server is promoted to a domain controller. It provides a hierarchical repository for GPOs that the Group Policy administrator creates with the use of the Administrative tool. For more information about how GPOs are created, refer to section
Default Domain Controllers Policy: A default GPO that is automatically created and linked to the domain whenever a server is promoted to a domain controller. This GPO represents the default policy that is applied to all domain controllers in the Domain Controllers container.
Default Domain Policy: A default GPO that is automatically created and linked to the domain whenever a server is promoted to a domain controller. It has the highest precedence of all GPOs linked to the domain, and it applies to all users and computers in the domain. The Default Domain Policy GPO is generally used to manage default account settings, although there are exceptions to this practice. For other areas of policy management, new GPOs can be created; however, some policy settings are best configured at the domain level, and there are no restrictions against doing so.
Administrator-configured: A GPO that is created by the Group Policy administrator to generate custom Group Policy settings for policy targets such as a Group Policy client computer.

Group Policy Structure

Group Policy structure is modeled after the Active Directory structure, in that it has both physical and logical components. At the core of Active Directory's physical architecture is an extensible storage engine that reads and writes information to the Active Directory data store. This engine makes use of the logical, object-based hierarchy that represents data store information. Group Policy structure is similar to that of Active Directory, because it maintains both a logical and physical representation of GPOs, as follows:

Logical component: Consists of a Group Policy container object, which is stored in the Group Policy Objects container of Active Directory. The Group Policy container object contains attributes that specify basic GPO information, such as the following:
GPO display name
GPO path to the extension policy and Group Policy template (GPT) files.
GPO version number
GPO status
Access control list (ACL)
GUID-references to the CSEs that are to be invoked when the core Group Policy engine on the Group Policy client processes the GPO.

When the Group Policy administrator creates a GPO, Active Directory creates a Group Policy container object for that GPO, as described in section
This Group Policy container is a container object of the grouppolicycontainer class and is named with a GUID that identifies the GPO. The Group Policy container is stored under the CN=Policies,CN=System container within the domain. The Administrative tool and the Group Policy client locate this container according to its DN, which is the exact path to the Group Policy container object in the Active Directory data store.

Physical component: Consists of the Group Policy file share component that stores GPT and Group Policy extension settings on a domain controller or other server. The physical component of a GPO is represented through a series of files containing Administrative template and extension policy settings that are stored on disk. These files contain numerous policy settings along with the state of these settings. These files are stored in Machine and User subdirectories along with the associated GPO version file gpt.ini, in the following path, which is also known as the GPO path:
<dns domain name>\<group Policy file share-name>\<dns domain name>\policies\<guid>\.

Whenever the Group Policy administrator creates a new GPO, the <guid> folder in this path is automatically created and named with the GUID of the GPO. Within the <guid> folder are Machine and User subdirectories that contain extension policy settings and Administrative template configuration items. During policy administration, when the Group Policy administrator creates or modifies Group Policy extension or Administrative template settings, the Administrative tool locates the policy files according to the <guid> in the GPO path. During policy application, the Group Policy client locates the policy files in the same manner.

GPO Configuration Model

The GPO configuration model accommodates settings for users and computers, and includes Software, Windows, and Administrative Templates settings for both user and computer configurations. Software settings enable the Group Policy administrator to specify software applications to be installed on Group Policy client computers; Windows settings hold the extension configurations; and Administrative Templates represents Group Policy client subsystems for which registry settings can be configured.

Policy targets in Active Directory are individual user and computer accounts that exist within domain, site, or OU containers. Each site, domain, and OU has a gplink attribute that associates it with one or more Group Policy container objects, which represent GPOs in Active Directory. Each GPO contains various attributes that are associated with users and computers. This includes an attribute that specifies the GPO path to policy files that store user and computer policy settings. The file system component of a GPO itself is configured with directories that hold policy data for users and computers. Therefore, when the Group Policy administrator views a GPO in a management interface such as the GPMC, two different sets of configuration settings are provided, as shown in the diagram of section :
User Configuration: Contains all information related to user policies that Group Policy clients retrieve during policy application in user policy mode, which includes data for the applicable CSEs. These CSEs store all server state for policy settings within the user configuration, in a format that is described in corresponding extension specifications.
Computer Configuration: Contains all information related to computer policies that Group Policy clients retrieve during policy application in computer policy mode, which includes data for the applicable CSEs. These CSEs store all server state for policy settings within the computer configuration, in a format that is described in corresponding extension specifications.

The logical component of each GPO contains a user extension list and a computer extension list that specifies the GUIDs of CSEs that apply to users and computers, respectively. The actual settings for these extensions are stored in the physical (file system) component of the GPO, as described in section

The extension settings for the user and computer configuration are configurable from the Administrative tool. When the Group Policy administrator creates or modifies extension settings, they are sent to the Group Policy data store. For example, any modifications to GPO attributes are communicated to Active Directory on the Group Policy server via LDAP [RFC2251], while the actual extension policy settings are communicated to the Group Policy file share via a file access protocol, both of which protocols are invoked by the Administrative tool.
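The Group Policy Structure section ties the two halves of a GPO together by name: the Group Policy container is named with the GPO GUID under CN=Policies,CN=System, and the GPO path ends in the same GUID on the domain's Group Policy file share. The following check of that consistency is an added example, not part of the Microsoft specification; the sample records, finding codes and function names are constructed, and the "sysvol" share name is taken from the glossary's GPO path definition.

```python
"""Added example: audit Group Policy container DNs against their GPO paths."""
import re

GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)


def parse_gpo_dn(dn):
    """Return (gpo_guid, dns_domain) from CN=<guid>,CN=Policies,CN=System,DC=..."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    if len(pairs) < 4:
        raise ValueError("DN too short for a Group Policy container")
    if pairs[0][0] != "cn" or not GUID_RE.match(pairs[0][1]):
        raise ValueError("leading RDN is not CN=<curly-braced GUID>")
    if [(a, v.lower()) for a, v in pairs[1:3]] != [("cn", "policies"), ("cn", "system")]:
        raise ValueError("container is not under CN=Policies,CN=System")
    if any(a != "dc" or not v for a, v in pairs[3:]):
        raise ValueError("expected only DC= components after CN=System")
    return pairs[0][1].lower(), ".".join(v.lower() for _, v in pairs[3:])


def audit_gpo(dn, gpo_path, share="sysvol"):
    """Return finding codes for one GPO record; an empty list means it conforms.

    Clients read policy files from gpo_path, so any deviation from
    \\\\<domain>\\<share>\\<domain>\\policies\\<guid> deserves a closer look.
    In Active Directory the path is held in the gPCFileSysPath attribute
    (a name not given on this page).
    """
    try:
        guid, domain = parse_gpo_dn(dn)
    except ValueError:
        return ["bad-dn"]
    if not gpo_path.startswith("\\\\"):
        return ["path-not-unc"]
    parts = gpo_path[2:].rstrip("\\").split("\\")
    if len(parts) != 5 or "" in parts:
        return ["path-wrong-depth"]
    host, path_share, path_domain, policies, path_guid = (p.lower() for p in parts)
    findings = []
    if host != domain:
        findings.append("host-not-domain")
    if path_share != share.lower():
        findings.append("share-mismatch")
    if path_domain != domain:
        findings.append("domain-dir-mismatch")
    if policies != "policies":
        findings.append("not-policies-dir")
    if not GUID_RE.match(path_guid):
        findings.append("bad-guid")
    elif path_guid != guid:
        findings.append("guid-mismatch")
    return findings


def unc(*parts):
    """Build a UNC path from its components (helper for the constructed samples)."""
    return "\\\\" + "\\".join(parts)


# Constructed sample data: GUIDs, domain and server names are made up.
G1 = "{11111111-2222-3333-4444-555555555555}"
G2 = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
DOMAIN = "corp.example.com"
DN1 = f"CN={G1},CN=Policies,CN=System,DC=corp,DC=example,DC=com"

SAMPLES = {
    "conformant": (DN1, unc(DOMAIN, "sysvol", DOMAIN, "Policies", G1)),
    "trailing-slash": (DN1, unc("CORP.EXAMPLE.COM", "SysVol", DOMAIN, "policies", G1) + "\\"),
    "other-server": (DN1, unc("fs01.other.example", "gpo$", DOMAIN, "Policies", G1)),
    "guid-mismatch": (DN1, unc(DOMAIN, "sysvol", DOMAIN, "Policies", G2)),
    "too-deep": (DN1, unc(DOMAIN, "sysvol", DOMAIN, "Policies", G1, "Machine")),
    "local-path": (DN1, "C:\\gpo\\" + G1),
    "wrong-container": (f"CN={G1},OU=Staging,DC=corp,DC=example,DC=com",
                        unc(DOMAIN, "sysvol", DOMAIN, "Policies", G1)),
}


def audit_all(records):
    """Audit every (dn, gpo_path) record and return {name: findings}."""
    return {name: audit_gpo(dn, path) for name, (dn, path) in records.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name:16} {'OK' if not findings else ', '.join(findings)}")
```

In a real audit the (DN, path) pairs would come from an export of the Group Policy containers rather than the inline samples.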
1.2 Glossary

This document uses the following terms:

access control entry (ACE): An entry in an access control list (ACL) that contains a set of user rights and a security identifier (SID) that identifies a principal for whom the rights are allowed, denied, or audited.
access control list (ACL): A list of access control entries (ACEs) that collectively describe the security rules for authorizing access to some resource; for example, an object or set of objects.

Active Directory: A general-purpose network directory service. Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). [MS-ADTS] describes both forms. For more information, see [MS-AUTHSOD] section , Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS.
Active Directory Domain Services (AD DS): A directory service (DS) implemented by a domain controller (DC). The DS provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. For more information, see [MS-AUTHSOD] section and [MS-ADTS]. For information about product versions, see [MS-ADTS] section 1. See also Active Directory.
administrative template: A file associated with a Group Policy Object (GPO) that combines information on the syntax of registry-based policy settings with human-readable descriptions of the settings, as well as other information.
Administrative templates: A series of Group Policy master templates that extend the Group Policy management functionalities that can be applied to a policy target such as a Group Policy client, the settings for which are accessible from a management interface such as the GPMC. The Administrative templates provide an extensive collection of policy settings for applications and operating system components, which are applied through registry modifications on Group Policy clients. For this reason, Administrative template policy settings are also referred to as registry-based policy.
Administrative tool: An implementation-specific tool, such as the Group Policy Management Console, that allows administrators to read and write policy settings from and to a Group Policy Object (GPO) and policy files. The Group Policy Administrative tool uses the Extension list of a GPO to determine which Administrative tool extensions are required to read settings from and write settings to the logical and physical components of a GPO.
Administrative tool extension: A Group Policy extension protocol that is identified by an Administrative tool extension GUID and invoked by a management entity such as the Group Policy Management Console. The Administrative tool extension enables the Group Policy administrator to administer policy settings associated with the specific context provided by the extension.
Administrative tool extension GUID: A GUID that enables a specific Administrative tool extension to be associated with settings that are stored in a GPO on the Group Policy server for that particular extension. The GUID enables the Administrative tool to identify the extension protocol for which settings are to be administered.
client-side extension (CSE): A Group Policy extension that resides locally on the Group Policy client and is identified by a client-side extension GUID (CSE GUID).
client-side extension GUID (CSE GUID): A GUID that enables a specific client-side extension on the Group Policy client to be associated with policy data that is stored in the logical and physical components of a Group Policy Object (GPO) on the Group Policy server, for that particular extension.
configuration naming context (config NC): A specific type of naming context (NC), or an instance of that type, that contains configuration information. In Active Directory, a single config NC is shared among all domain controllers (DCs) in the forest. A config NC cannot contain security principal objects.
core Group Policy engine: The software entity that implements the Group Policy: Core Protocol [MS-GPOL]. The core Group Policy engine issues the message sequences that result in core protocol network traffic during policy application on Group Policy clients. The engine handles functions on behalf of the core protocol such as the Group Policy refresh interval, GPO and policy file access, GPO filtering and ordering, and invoking transport protocols for retrieving and storing policy settings.
directory: The database that stores information about objects such as users, groups, computers, printers, and the directory service that makes this information available to users and applications.
directory service (DS): A service that stores and organizes information about a computer network's users and network shares, and that allows network administrators to manage users' access to the shares. See also Active Directory.
distinguished name (DN): A name that uniquely identifies an object by using the relative distinguished name (RDN) for the object, and the names of container objects and domains that contain the object. The distinguished name (DN) identifies the object and its location in a tree.
domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication (2) of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section and [MS-ADTS].
domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section and [MS-ADTS]. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS, only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest. The domain controller is the server side of Authentication Protocol Domain Support [MS-APDS].
Domain Name System (DNS): A hierarchical, distributed database that contains mappings of domain names (1) to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.
domain naming context (domain NC): A partition of the directory that contains information about the domain and is replicated with other domain controllers (DCs) in the same domain.
Encrypting File System (EFS): The name for the encryption capability of the NTFS file system. When a file is encrypted using EFS, a symmetric key known as the file encryption key (FEK) is generated and the contents of the file are encrypted with the FEK. For each user or data recovery agent (DRA) that is authorized to access the file, a copy of the FEK is encrypted with that user's or DRA's public key and is stored in the file's metadata. For more information about EFS, see [MSFT-EFS].
forest: One or more domains that share a common schema and trust each other transitively. An organization can have multiple forests. A forest establishes the security and administrative boundary for all the objects that reside within the domains that belong to the forest. In contrast, a domain establishes the administrative boundary for managing objects, such as users, groups, and computers. In addition, each domain has individual security policies and trust relationships with other domains.
globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).
Group Policy: A mechanism that allows the implementer to specify managed configurations for users and computers in an Active Directory service environment.
Group Policy administrator: A domain administrator who is responsible for defining policy settings and managing the Group Policy infrastructure of a domain.
Group Policy client: A client computer that receives and applies settings of a GPO. The Group Policy client can use client-side extensions to extend the functionality of the Group Policy protocols.
Group Policy data store: A data store that consists of two types of stores. One is a physical (file system) data store on the Group Policy file share that contains policy settings (extension and administrative template data), which can be locally or remotely accessed depending on location. The other is a logical data store that is part of Active Directory and serves as a repository for GPOs that are accessible via Lightweight Directory Access Protocol (LDAP).
Group Policy extension: A protocol that extends the functionality of Group Policy. Group Policy extensions consist of client-side extensions and Administrative tool extensions. They provide settings and other Group Policy information that can be read from and written to Group Policy data store components. Group Policy Extensions depend on the Group Policy: Core Protocol, via the core Group Policy engine, to identify GPOs containing a list of extensions that apply to a particular Group Policy client.
Group Policy file share: A file system storage location that contains policy settings that include extension settings and Group Policy template settings for GPOs. The latter settings consist of security and registry settings, script files, and application installation information.
Group Policy Management Console (GPMC): An implementation-specific Administrative tool that provides an integrated interface to create, view, and manage GPOs and policy settings in multiple forests, domains, and sites.
Group Policy Object (GPO): A collection of administrator-defined specifications of the policy settings that can be applied to groups of computers in a domain. Each GPO includes two elements: an object that resides in the Active Directory for the domain, and a corresponding file system subdirectory that resides on the sysvol DFS share of the Group Policy server for the domain.
Group Policy Object (GPO) GUID: A curly braced GUID string that uniquely identifies a Group Policy Object (GPO).
Group Policy Object (GPO) path: A domain-based Distributed File System (DFS) path for a directory on the server that is accessible through the DFS/SMB protocols. This path will always be a Universal Naming Convention (UNC) path of the form: "\\<dns domain name>\sysvol\<dns domain name>\policies\<gpo guid>", where <dns domain name> is the DNS domain name of the domain and <gpo guid> is a Group Policy Object (GPO) GUID.
Group Policy server: A server holding a database of Group Policy Objects (GPOs) that can be retrieved by other machines. The Group Policy server must be a domain controller (DC).

22 Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377]. NT LAN Manager (NTLM) Authentication Protocol: A protocol using a challenge-response mechanism for authentication (2) in which clients are able to verify their identities without sending a password to the server. It consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication). For more information, see [MS- NLMP]. organizational unit (OU): An Active Directory object contained within a domain, into which users, groups, computers, and other organizational units can be placed. An organizational unit provides a facility to classify and differentiate objects in a directory structure such as LDAP. policy application: The protocol exchange by which a client obtains all of the Group Policy Object (GPO) and thus all applicable Group Policy settings for a particular policy target from the server, as specified in [MS-GPOL]. Policy application can operate in two modes, user policy and computer policy. policy setting: A statement of the possible behaviors of an element of a domain member computer's behavior that can be configured by an administrator. policy target: A user or computer account for which policy settings can be obtained from a server in the same domain, as specified in [MS-GPOL]. For user policy mode, the policy target is a user account. For computer policy mode, the policy target is a computer account. PolicyChange: A local event that indicates that a policy has changed. print server: A machine that hosts the print system and all its different components. 
registry: A local system-defined database in which applications and system components store and retrieve configuration data. It is a hierarchical data store with lightly typed elements that are logically stored in tree format. Applications use the registry API to retrieve, modify, or delete registry data. The data stored in the registry varies according to the version of Windows.

Resultant Set of Policy (RSoP): The cumulative effect of GPO inheritance and processing on an individual computer or a specific user. When the policy application process is initiated, the core Group Policy engine looks at local registry and WMI settings, and then the RSoP, to determine whether a policy target requires a Group Policy update. RSoP data is stored, along with WMI data, in a local WMI database.

scope of management (SOM): An Active Directory site, domain, or organizational unit container. These containers contain user and computer accounts that can be managed through Group Policy. These SOMs are themselves associated with Group Policy Objects (GPOs), and the accounts within them are considered by the Group Policy Protocol [MS-GPOL] to inherit that association.

Server Message Block (SMB): A protocol that is used to request file and print services from server systems over a network. The SMB protocol extends the CIFS protocol with additional security, file, and disk management support. For more information, see [CIFS] and [MS-SMB].

share: A resource offered by a Common Internet File System (CIFS) server for access by CIFS clients over the network. A share typically represents a directory tree and its included files (referred to commonly as a "disk share" or "file share") or a printer (a "print share"). If the information about the share is saved in persistent store (for example, Windows registry) and reloaded when a file server is restarted, then the share is referred to as a "sticky share". Some share names are reserved for specific functions and are referred to as special shares: IPC$, reserved for interprocess communication, ADMIN$, reserved for remote administration, and A$, B$, C$ (and other local disk names followed by a dollar sign), assigned to local disk devices.

site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects) an administrator can optimize both Active Directory access and Active Directory replication with respect to the physical network. When users log in, Active Directory clients find domain controllers (DCs) that are in the same site as the user, or near the same site if there is no DC in the site. See also Knowledge Consistency Checker (KCC). For more information, see [MS-ADTS].

system volume (SYSVOL): A shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.

UncPath: The location of a file in a network of computers, as specified in Universal Naming Convention (UNC) syntax.

Windows Management Instrumentation (WMI): The Microsoft implementation of Common Information Model (CIM), as specified in [DMTF-DSP0004]. WMI allows an administrator to manage local and remote machines and models computer and network objects using an extension of the CIM standard.

1.3 References

[MS-ADOD] Microsoft Corporation, "Active Directory Protocols Overview".
[MS-ADTS] Microsoft Corporation, "Active Directory Technical Specification".
[MS-AUTHSOD] Microsoft Corporation, "Authentication Services Protocols Overview".
[MS-CERSOD] Microsoft Corporation, "Certificate Services Protocols Overview".
[MS-ERREF] Microsoft Corporation, "Windows Error Codes".
[MS-FASOD] Microsoft Corporation, "File Access Services Protocols Overview".
[MS-GPAC] Microsoft Corporation, "Group Policy: Audit Configuration Extension".
[MS-GPCAP] Microsoft Corporation, "Group Policy: Central Access Policies Protocol Extension".
[MS-GPDPC] Microsoft Corporation, "Group Policy: Deployed Printer Connections Extension".
[MS-GPEF] Microsoft Corporation, "Group Policy: Encrypting File System Extension".
[MS-GPFAS] Microsoft Corporation, "Group Policy: Firewall and Advanced Security Data Structure".
[MS-GPFR] Microsoft Corporation, "Group Policy: Folder Redirection Protocol Extension".
[MS-GPIE] Microsoft Corporation, "Group Policy: Internet Explorer Maintenance Extension".
[MS-GPIPSEC] Microsoft Corporation, "Group Policy: IP Security (IPsec) Protocol Extension".
[MS-GPNAP] Microsoft Corporation, "Group Policy: Network Access Protection (NAP) Extension".
[MS-GPNRPT] Microsoft Corporation, "Group Policy: Name Resolution Policy Table (NRPT) Data Extension".
[MS-GPOL] Microsoft Corporation, "Group Policy: Core Protocol".
[MS-GPPREF] Microsoft Corporation, "Group Policy: Preferences Extension Data Structure".

[MS-GPREG] Microsoft Corporation, "Group Policy: Registry Extension Encoding".
[MS-GPSB] Microsoft Corporation, "Group Policy: Security Protocol Extension".
[MS-GPSCR] Microsoft Corporation, "Group Policy: Scripts Extension Encoding".
[MS-GPSI] Microsoft Corporation, "Group Policy: Software Installation Protocol Extension".
[MS-GPWL] Microsoft Corporation, "Group Policy: Wireless/Wired Protocol Extension".
[MS-KILE] Microsoft Corporation, "Kerberos Protocol Extensions".
[MS-NLMP] Microsoft Corporation, "NT LAN Manager (NTLM) Authentication Protocol".
[MS-NRPC] Microsoft Corporation, "Netlogon Remote Protocol".
[MS-PRSOD] Microsoft Corporation, "Print Services Protocols Overview".
[MS-SMB] Microsoft Corporation, "Server Message Block (SMB) Protocol".
[MS-SPNG] Microsoft Corporation, "Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Extension".
[MS-WMI] Microsoft Corporation, "Windows Management Instrumentation Remote Protocol".
[MS-WSUSOD] Microsoft Corporation, "Windows Server Update Services Protocols Overview".
[MS-WUSP] Microsoft Corporation, "Windows Update Services: Client-Server Protocol".
[MSDN-GroupPolicy] Microsoft Corporation, "Group Policy API".
[MSDN-RSATW7] Microsoft Corporation, "Remote Server Administration Tools for Windows 7".
[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain Names - Implementation and Specification", STD 13, RFC 1035, November 1987.
[RFC2251] Wahl, M., Howes, T., and Kille, S., "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and Raeburn, K., "The Kerberos Network Authentication Service (V5)", RFC 4120, July 2005.
[RFC792] Postel, J., "Internet Control Message Protocol", RFC 792, September 1981.

2 Functional Architecture

2.1 Overview

The Group Policy protocols enable a Group Policy administrator to maintain standard operating environments for specific groups of users. As policies, software, and environments change over time, administrators can use Group Policy to update an already-deployed operating environment. Group Policy can also enforce rules that restrict the programs that can be run on company computers.

To manage such environments, Group Policy utilizes an architectural model that embraces a dual approach consisting of policy administration and policy application features. The policy administration feature makes use of an Administrative tool, Administrative tool extensions, a Group Policy data store containing GPOs and data, and a Group Policy server that provides directory service-based access to Group Policy metadata (sections and ) and file access to policy settings. The policy application feature makes use of the Group Policy client, CSEs, and the Group Policy data store on the Group Policy server, from where the Group Policy client for the policy application process (section 1.1.7) obtains GPO metadata and policy settings.

The following diagram shows the basic architecture of the Group Policy protocols. Note that the Administrative tool in this architecture is an implementation-specific interface that the Group Policy administrator uses to manage Group Policy.

Figure 2: Group Policy architecture

The main components of the Group Policy protocols are described in section

Group Policy components are typically installed in a distributed environment. The following diagram shows a basic deployment of Group Policy components in a distributed environment that consists of three computers.

Figure 3: Group Policy distributed environment

System Purpose

System administrators are required to provide consistency among groups of computers and/or users, with respect to such things as operating system versions, sets of applications, and the general user experience. Group Policy enables a remote administrator to ensure that groups of computers conform to standards, and that specific users are provided with a consistent experience regardless of the computer that they use.

As the enabling technology in Windows, Group Policy allows programs and administrators to use Active Directory as an infrastructure to centralize network administration, centrally define management policy, and delegate administrative authority. Users, computers, devices, and resources are represented as objects in Active Directory. With Group Policy, administrators can target policy settings on everything from users and computers to individual objects throughout the Active Directory hierarchy.

Group Policy depends on a domain-joined environment, as described in section 2.4. In this environment, the Group Policy protocols enable a Group Policy client to retrieve GPO metadata and policy settings from a Group Policy server, and they enable the Administrative tool to create, retrieve, update, and delete policy settings. The Group Policy: Core Protocol [MS-GPOL] provides the core functionality of Group Policy, as described in section

Group Policy functionality is extensible on both the client side (policy application) and the administrative side (policy administration).

Core Protocol

The Group Policy: Core Protocol [MS-GPOL] is the main Group Policy protocol. It is a client/server protocol that allows clients to discover and retrieve policy settings created by Group Policy administrators. Policy settings are the directives that Group Policy administrators employ to control client behavior.
For example, a Group Policy administrator might want to configure every computer in a group of computers to open a specific firewall port. The administrator could use Group Policy to implement such a directive and communicate it to clients through the Group Policy: Core Protocol. Various extensions to the core protocol are also provided to enable more granular control over different aspects of client systems. Section describes the Group Policy: Core Protocol in more detail.

Extensible Architecture

Group Policy has an extensible architecture that consists of the Group Policy: Core Protocol and the extension protocols that are described in section 2.2. The Group Policy: Core Protocol is fully implemented by the core Group Policy engine. The core Group Policy engine provides the functionality that determines which policies apply to a policy target such as a Group Policy client, whereas an extension, based on the determined policy applicability, is responsible for the actual policy application. The core Group Policy engine itself does not apply actual policy settings to a Group Policy client; rather, it makes the LDAP or file access calls and extension invocations through which extension and Administrative template settings are applied.

Note that failure of a particular protocol extension sequence does not cause policy application to fail. Failure simply means that Group Policy clients are not able to enforce settings that are associated with a specific extension or Administrative template configuration item.

Scriptable Policy Settings

The Group Policy protocols apply policy settings to Group Policy clients when specific events occur, such as computer startup, computer shutdown, user logon, and user logoff, as described in section

These events provide the Group Policy administrator with the opportunity to run scripts that apply additional policy configurations to the Group Policy client. These scripts can be stored on any server that contains a Group Policy file share, which includes the Group Policy server. Users and computers must be able to access this share.
For more information about applying policy settings during the events mentioned in this section, see the documentation for the Group Policy: Scripts Extension Encoding protocol [MS-GPSCR].

Group Policy Components

The main components of the Group Policy protocols are described as follows:

Administrative tool: An implementation-specific management entity, such as the GPMC, that enables a Group Policy administrator to create, modify, and delete GPOs and policy settings (Administrative templates and extension settings). The Administrative tool manages policy settings that are specific to the Group Policy client implementation. Policy settings and other Group Policy functions are managed through the following administrative tasks:
Authoring or editing GPOs via write access to Active Directory to facilitate configuration of GPOs with specific policy directives or settings.
Updating policy files on the Group Policy file share via file access write operations.
Configuring core aspects of Group Policy, such as SOM and GPO precedence.
The Administrative tool, along with its associated extensions, can be located and run on any computer that is a member of the domain, including the Group Policy server.
Note: All Group Policy server SKUs, and Group Policy clients with Remote Server Administration Tools [MSDN-RSATW7] installed, have the Administrative tool and extensions.

Group Policy client: The client computer on which Group Policy settings are applied by invoking the core Group Policy engine and the CSEs. The Group Policy client communicates with Group Policy data store components, which include the Active Directory and Group Policy file share data stores, via the Group Policy: Core Protocol [MS-GPOL], as implemented by the core Group Policy engine on the client computer.

Group Policy Extensions: Consist of CSE and Administrative tool extension protocols that enhance the base functionality of Group Policy. Extension data is typically read from and written to Group Policy data store components.

Group Policy data store: Consists of an Active Directory data store that provides storage and access to GPOs containing Group Policy metadata. It also contains a Group Policy file share data store that serves as a file system repository for user and computer extension policy settings, GPO version information, and administrative template policy settings. The Group Policy administrative templates can be used to configure registry-based settings for a GPO, which can include security settings, script files for custom policy configurations, and software installation information. Administrative template settings are stored on the Group Policy file share; however, note that administrative templates are not a requirement for a GPO.

Group Policy server: A domain controller that implements Active Directory, from which a Group Policy client retrieves GPO metadata via LDAP and policy settings via a file access protocol.
Note: The terms domain controller and Group Policy server are used interchangeably throughout this document.

Although Group Policy extends Active Directory functionality to support Group Policy operations, Active Directory is not officially part of Group Policy. Implementers are free to choose Active Directory or any LDAP-accessed directory service with which Group Policy is compatible, to support Group Policy operations. However, for purposes of discussion herein, this document assumes that Active Directory is the LDAP-accessed directory service for Group Policy.
Note: The directory service that the implementer chooses is required to support forests.

The following sections describe the Group Policy components and the interrelationships among their parts, consumers, and dependencies. In particular, the following communication and process functionalities of Group Policy are covered in the discussions, along with applicable standards:
Protocol communications between components
Relationships between internal components
Communication architecture and message flows
Policy application and administration processes
Applicability and interoperability standards

Component Protocol Communications

The following diagram shows the Group Policy protocols along with the protocols that facilitate communication between components.

Figure 4: Group Policy component protocol communications

Group Policy makes use of several protocols to facilitate communications among its components, as illustrated in the preceding diagram:

Administrative Tool Communication Protocols

The Administrative tool uses the following communication protocols:
LDAP ([RFC2251]) and a file access protocol for accessing Group Policy data store components, which include the Active Directory data store on the Group Policy server and the Group Policy file share data store.
DNS, as described in [MS-ADOD] section 3.1.1, for locating a domain controller.
Kerberos [MS-KILE] or NT LAN Manager (NTLM) Authentication Protocol [MS-NLMP], as described in [MS-SPNG], for authenticating to the Group Policy server.
Group Policy: Core Protocol [MS-GPOL], for invoking and processing Administrative tool extensions via the Administrative tool.

Group Policy Client Communication Protocols

The Group Policy client uses the following communication protocols:
LDAP and a file access protocol, for accessing Group Policy data store components, which include the Active Directory data store on the Group Policy server and the Group Policy file share data store.
DNS, as described in [MS-ADOD] section 3.1.1, for locating a domain controller.
Kerberos [MS-KILE] or NTLM [MS-NLMP], as described in [MS-SPNG], for authenticating to the Group Policy server.
Group Policy: Core Protocol, as described in [MS-GPOL], for invoking and processing CSEs via the core Group Policy engine.

Group Policy Extension Communication Protocols

The communication protocols that the Group Policy extensions use, which include Administrative tool extensions and CSEs, are as follows:
LDAP and a file access protocol, for communicating with Active Directory and the Group Policy file share.
In policy administration mode, Administrative tool extensions make direct writes against Active Directory via LDAP and against policy files via a file access protocol.
In policy application mode, CSEs use LDAP and a file access protocol to query the Group Policy server and the Group Policy file share data store, respectively, for the retrieval and application of policy settings.

Group Policy Server Communication Protocols

The Group Policy server uses the following communication protocols:
LDAP, when accepting access to GPOs in Active Directory.
File access protocol, for accepting local access to user and computer policy files, that is, when the Group Policy file share data store is located on the Group Policy server.

Note that the core Group Policy engine on the Group Policy client chooses the appropriate protocol to invoke whenever the Group Policy client requires access to Active Directory or the Group Policy file share. Likewise, the Administrative tool chooses the appropriate protocol to invoke when it needs access to Active Directory or the Group Policy file share.
Group Policy Data Store Communication Protocols

The Group Policy data store uses the following communication protocols:
LDAP, when access is required for the storage and retrieval of GPOs in Active Directory.
File access protocol, when access is required for updating and retrieving user and computer policy settings, and GPO version information, on the Group Policy file share.

The protocols and services that enable communications between Group Policy components are described as follows:

Authentication protocols: Authentication services, as described in [MS-AUTHSOD], are provided by NTLM, specified in [MS-NLMP], or Kerberos, as specified in [RFC4120] and [MS-KILE], to secure communications within the Group Policy protocols. These protocols also provide authentication services that support the client-to-server communication within and outside Group Policy. This includes the use of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Protocol Extensions, as described in [MS-SPNG], which facilitate a secure environment while negotiating which authentication protocol the Group Policy protocols will use: either NTLM [MS-NLMP] or Kerberos [RFC4120], as described in [MS-SPNG], section

DNS Server: DNS, as specified in [RFC1034] and [RFC1035], is used by both the Group Policy client and the Administrative tool to discover the location of the Group Policy server.

Internet Control Message Protocol (ICMP): In some instances, ICMP, as specified in [RFC792], is used by the Group Policy client to determine the network speed of the link to the domain controller, to ensure that bandwidth-intensive protocol extension sequences are sufficiently supported. See section for more information on link speed determination.

Lightweight Directory Access Protocol: LDAP is invoked by the Group Policy: Core Protocol and may be invoked by Group Policy extensions to read and update various policy attributes stored in GPOs within the Active Directory hierarchy on the Group Policy server.

File access protocol: A file access protocol is invoked to read and update policy files on the Group Policy file share and to transmit policy settings and other data between the Group Policy server and Group Policy client.

Component Functionality

The following diagram shows the internal components and protocol connections for the Group Policy protocols.

Figure 5: Internal component functions

The general functions of Group Policy components are as follows:

Core Group Policy engine: Coordinates the application and processing of Group Policy by handling tasks such as:
Applying Group Policy at regular intervals.
Accessing GPOs and retrieving GPO extension lists from Active Directory.
Accessing policy settings on the Group Policy file share.
Filtering and ordering GPOs.
Providing notification of Group Policy changes.

Extension protocols: Consist of CSE and Administrative tool extension protocols that extend Group Policy application functionality. Note that implementers can create their own custom extension protocols, as described in [MS-GPOL], section 1.8. In the preceding diagram, the color-code scheme indicates that most Group Policy extension protocols implement both an administrative-side and a client-side extension. However, the Group Policy: Firewall and Advanced Security Data Structure, defined in [MS-GPFAS], implements only an administrative-side extension. For additional information about administrative-side and client-side extensions, see sections and 2.2.

Group Policy file share: An implementation-specific version of a file share location. The Group Policy file share location and its internal directory structure are shared with all Group Policy clients and can be replicated to other peers in a multimaster topology.

Group Policy management: The Administrative tool provides facilities for locating, retrieving, creating, modifying, and deleting group policies. These management functions can be accomplished from an interface such as the GPMC, a custom application, or a command-line tool.

Directory service: An implementation-specific version of an LDAP-accessible directory service, such as Active Directory, for the storage of GPOs.

Component Tasks

The following diagram provides a high-level depiction of the major tasks performed by Group Policy components. The sections following the diagram provide details about the messaging and Group Policy component functions that enable these tasks to be carried out.

Figure 6: Group Policy communications architecture

Group Policy Server

The Group Policy server is a domain controller that implements Active Directory Domain Services (AD DS). The Group Policy server of itself has no knowledge of Group Policy. It is simply a server that provides storage for managed generic objects (GPOs) that are used to maintain policy information. The Group Policy server maintains state via two Group Policy data store components, which consist of the following:

Active Directory data store: A hierarchical directory service that stores the logical component of GPOs that are accessible through LDAP.

Group Policy file share data store: A domain-based file share that stores Group Policy extension and Group Policy template settings and is accessible through a file access protocol. Note that the Group Policy file share data store can be located on a remote file server or on the Group Policy server itself.

These data stores are modified as a result of changes made when authoring or modifying policy settings with the Administrative tool. In addition, Group Policy clients use these repositories as read-only stores during the policy application process.

For more information about the Group Policy server, including how GPOs are structured, see [MS-GPOL] section

Group Policy Client

The Group Policy client contains the core Group Policy engine and the CSEs that extend Group Policy. The CSEs that extend Group Policy are described in section
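The glossary gives the Group Policy Object (GPO) path a fixed form, "\\<dns domain name>\sysvol\<dns domain name>\policies\<gpo guid>", and the file share data store is where clients read policy settings from, so a path that departs from that form is worth flagging in an audit. The following Python code is an added example, not part of the Microsoft specification; the function names, the sample paths (constructed) and the strict letters-digits-hyphen DNS label rule are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Curly-braced GUID string: {8-4-4-4-12 hexadecimal digits}.
_GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumption: DNS labels limited to letters, digits and inner hyphens.
_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class GpoPathError(ValueError):
    """The path does not have the GPO path form given in the glossary."""


@dataclass(frozen=True)
class GpoPath:
    domain: str    # DNS domain name, lower-cased
    gpo_guid: str  # curly-braced GUID, upper-cased


def _is_dns_name(name: str) -> bool:
    if not 0 < len(name) <= 253:
        return False
    return all(_LABEL_RE.fullmatch(label) for label in name.split("."))


def parse_gpo_path(path: str, expected_domain: Optional[str] = None) -> GpoPath:
    """Parse \\\\<dns domain name>\\sysvol\\<dns domain name>\\policies\\<gpo guid>.

    Comparison is case-insensitive, as DNS names and Windows paths are.
    Raises GpoPathError with the first rule that the path breaks.
    """
    if not path.startswith("\\\\"):
        raise GpoPathError("not a UNC path")
    parts = path[2:].rstrip("\\").split("\\")
    if len(parts) != 5:
        raise GpoPathError("expected 5 path components, got %d" % len(parts))
    server, share, domain, policies, guid = parts
    if share.lower() != "sysvol":
        raise GpoPathError("share is not sysvol")
    if policies.lower() != "policies":
        raise GpoPathError("fourth component is not policies")
    if not (_is_dns_name(server) and _is_dns_name(domain)):
        raise GpoPathError("server or domain component is not a DNS name")
    if server.lower() != domain.lower():
        raise GpoPathError("the two DNS domain name components differ")
    if not _GUID_RE.fullmatch(guid):
        raise GpoPathError("last component is not a curly-braced GUID")
    if expected_domain is not None and domain.lower() != expected_domain.lower():
        raise GpoPathError("domain is not the expected domain")
    return GpoPath(domain.lower(), guid.upper())


def audit_gpo_paths(paths: List[str], expected_domain: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path that fails the form check."""
    findings = []
    for path in paths:
        try:
            parse_gpo_path(path, expected_domain)
        except GpoPathError as exc:
            findings.append((path, str(exc)))
    return findings


# Constructed sample input; none of these values come from a real domain.
SAMPLE_PATHS = [
    r"\\corp.example.com\sysvol\corp.example.com\policies\{01234567-89ab-cdef-0123-456789abcdef}",
    r"\\CORP.EXAMPLE.COM\SysVol\corp.example.com\Policies\{01234567-89AB-CDEF-0123-456789ABCDEF}" + "\\",
    r"\\other.example.net\sysvol\corp.example.com\policies\{01234567-89ab-cdef-0123-456789abcdef}",
    r"\\corp.example.com\sysvol\corp.example.com\policies\01234567-89ab-cdef-0123-456789abcdef",
    r"C:\Windows\SYSVOL\sysvol\corp.example.com\policies\{01234567-89ab-cdef-0123-456789abcdef}",
]

if __name__ == "__main__":
    for bad_path, reason in audit_gpo_paths(SAMPLE_PATHS, "corp.example.com"):
        print(reason, "->", bad_path)
```
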


More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-SNID]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-GRVRDB]: Groove RDB Commands Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-GRVRDB]: Groove RDB Commands Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-GRVRDB]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-GPNRPT-Diff]: Group Policy: Name Resolution Policy Table (NRPT) Data Extension

[MS-GPNRPT-Diff]: Group Policy: Name Resolution Policy Table (NRPT) Data Extension [MS-GPNRPT-Diff]: Group Policy: Name Resolution Policy Table (NRPT) Data Extension Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes

More information

[MS-FSMOD-Diff]: File Services Management Protocols Overview. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-FSMOD-Diff]: File Services Management Protocols Overview. Intellectual Property Rights Notice for Open Specifications Documentation [MS-FSMOD-Diff]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions [MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

[MC-SMP]: Session Multiplex Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MC-SMP]: Session Multiplex Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MC-SMP]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-WDSMA]: Windows Deployment Services Multicast Application Protocol

[MS-WDSMA]: Windows Deployment Services Multicast Application Protocol [MS-WDSMA]: Windows Deployment Services Multicast Application Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications

More information

[MS-MCI]: Microsoft ZIP (MSZIP) Compression and Decompression Data Structure

[MS-MCI]: Microsoft ZIP (MSZIP) Compression and Decompression Data Structure [MS-MCI]: Microsoft ZIP (MSZIP) Compression and Decompression Data Structure Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

Wide Area Network Device Presence Protocol (WAN DPP)

Wide Area Network Device Presence Protocol (WAN DPP) [MS-GRVWDPP]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-GRVRDB]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-DPEDM]: Entity Data Model Data Portability Overview

[MS-DPEDM]: Entity Data Model Data Portability Overview [MS-DPEDM]: Entity Data Model Data Portability Overview This document provides an overview for data portability in the Conceptual Schema Definition Language (CSDL), Store Schema Definition Language (SSDL),

More information

[MS-CTDOC]: Word Custom Toolbar Binary File Format. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-CTDOC]: Word Custom Toolbar Binary File Format. Intellectual Property Rights Notice for Open Specifications Documentation [MS-CTDOC]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-WEBDAVE]: Web Distributed Authoring and Versioning Error Extensions Protocol

[MS-WEBDAVE]: Web Distributed Authoring and Versioning Error Extensions Protocol [MS-WEBDAVE]: Web Distributed Authoring and Versioning Error Extensions Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

[MS-PCCRTP]: Peer Content Caching and Retrieval: Hypertext Transfer Protocol (HTTP) Extensions

[MS-PCCRTP]: Peer Content Caching and Retrieval: Hypertext Transfer Protocol (HTTP) Extensions [MS-PCCRTP]: Peer Content Caching and Retrieval: Hypertext Transfer Protocol (HTTP) Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft

More information

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol [MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft

More information

[MS-VSOD]: Virtual Storage Protocols Overview. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-VSOD]: Virtual Storage Protocols Overview. Intellectual Property Rights Notice for Open Specifications Documentation [MS-VSOD]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-WDSC]: Windows Deployment Services Control Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-WDSC]: Windows Deployment Services Control Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-WDSC]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

Integration Services Connection Manager File Format

Integration Services Connection Manager File Format [MS-CONNMGR]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-DPWSSN-Diff]: Devices Profile for Web Services (DPWS): Size Negotiation Extension

[MS-DPWSSN-Diff]: Devices Profile for Web Services (DPWS): Size Negotiation Extension [MS-DPWSSN-Diff]: Devices Profile for Web Services (DPWS): Size Negotiation Extension Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes

More information

[MS-CTDOC]: Word Custom Toolbar Binary File Format. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-CTDOC]: Word Custom Toolbar Binary File Format. Intellectual Property Rights Notice for Open Specifications Documentation [MS-CTDOC]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-THCH-Diff]: Tracing HTTP Correlation Header Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-THCH-Diff]: Tracing HTTP Correlation Header Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-THCH-Diff]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-DPEDMX]: Entity Data Model for Data Services Packaging Format Data Portability Overview

[MS-DPEDMX]: Entity Data Model for Data Services Packaging Format Data Portability Overview [MS-DPEDMX]: Entity Data Model for Data Services Packaging Format Data Portability Overview Intellectual Property Rights Technical Documentation. Microsoft publishes Open Specifications documentation for

More information

[MS-XHTML]: Internet Explorer Extensible HyperText Markup Language (XHTML) Standards Support Document

[MS-XHTML]: Internet Explorer Extensible HyperText Markup Language (XHTML) Standards Support Document [MS-XHTML]: Internet Explorer Extensible HyperText Markup Language (XHTML) Standards Support Document Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation.

More information

[MS-HVRS]: Intellectual Property Rights Notice for Open Specifications Documentation

[MS-HVRS]: Intellectual Property Rights Notice for Open Specifications Documentation [MS-HVRS]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-RDPECLIP]: Remote Desktop Protocol: Clipboard Virtual Channel Extension

[MS-RDPECLIP]: Remote Desktop Protocol: Clipboard Virtual Channel Extension [MS-RDPECLIP]: Remote Desktop Protocol: Clipboard Virtual Channel Extension Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications

More information

Microsoft XML Namespaces Standards Support Document

Microsoft XML Namespaces Standards Support Document [MS-XMLNS]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-WINSRA]: Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol

[MS-WINSRA]: Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol [MS-WINSRA]: Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes

More information

[MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol

[MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol [MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes

More information

[MS-SSP]: Intellectual Property Rights Notice for Open Specifications Documentation

[MS-SSP]: Intellectual Property Rights Notice for Open Specifications Documentation [MS-SSP]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-WINSRA]: Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol

[MS-WINSRA]: Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol [MS-WINSRA]: Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes

More information

[MS-OXPHISH]: Phishing Warning Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-OXPHISH]: Phishing Warning Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-OXPHISH]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-PRSOD]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

Query and Result Configuration Protocol Specification

Query and Result Configuration Protocol Specification [MS-FSQRC]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

Remote Access Server Advertisement (RASADV) Protocol

Remote Access Server Advertisement (RASADV) Protocol [MS-RASA]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

Remote Access Server Advertisement (RASADV) Protocol

Remote Access Server Advertisement (RASADV) Protocol [MS-RASA]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-FSIDFT]: Indexing Dispatcher Fault Tolerance Protocol Specification

[MS-FSIDFT]: Indexing Dispatcher Fault Tolerance Protocol Specification [MS-FSIDFT]: Indexing Dispatcher Fault Tolerance Protocol Specification Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications

More information

[MS-DPPDW]: Parallel Data Warehouse Data Portability Overview. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-DPPDW]: Parallel Data Warehouse Data Portability Overview. Intellectual Property Rights Notice for Open Specifications Documentation [MS-DPPDW]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-THCH]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol [MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft

More information

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions [MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

[MS-RDPEMC]: Remote Desktop Protocol: Multiparty Virtual Channel Extension

[MS-RDPEMC]: Remote Desktop Protocol: Multiparty Virtual Channel Extension [MS-RDPEMC]: Remote Desktop Protocol: Multiparty Virtual Channel Extension Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications

More information

[MC-CCFG]: Server Cluster: Configuration (ClusCfg) Protocol

[MC-CCFG]: Server Cluster: Configuration (ClusCfg) Protocol [MC-CCFG]: Server Cluster: Configuration (ClusCfg) Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation

More information

[MS-GPDPC]: Group Policy: Deployed Printer Connections Extension. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-GPDPC]: Group Policy: Deployed Printer Connections Extension. Intellectual Property Rights Notice for Open Specifications Documentation [MS-GPDPC]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-RDPEXPS]: Remote Desktop Protocol: XML Paper Specification (XPS) Print Virtual Channel Extension

[MS-RDPEXPS]: Remote Desktop Protocol: XML Paper Specification (XPS) Print Virtual Channel Extension [MS-RDPEXPS]: Remote Desktop Protocol: XML Paper Specification (XPS) Print Virtual Channel Extension Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft

More information

[MS-HVRS]: Intellectual Property Rights Notice for Open Specifications Documentation

[MS-HVRS]: Intellectual Property Rights Notice for Open Specifications Documentation [MS-HVRS]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-SQOS]: Storage Quality of Service Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-SQOS]: Storage Quality of Service Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-SQOS]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

RTP for Application Sharing Payload Format Extensions

RTP for Application Sharing Payload Format Extensions [MS-RTASPF]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-TTML]: Internet Explorer Timed Text Markup Language (TTML) 1.0 Standards Support Documentation

[MS-TTML]: Internet Explorer Timed Text Markup Language (TTML) 1.0 Standards Support Documentation [MS-TTML]: Internet Explorer Timed Text Markup Language (TTML) 1.0 Standards Support Documentation Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft

More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-WMSO]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-DPPDW]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-WFDAA]: Intellectual Property Rights Notice for Open Specifications Documentation

[MS-WFDAA]: Intellectual Property Rights Notice for Open Specifications Documentation [MS-WFDAA]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-OXCSYNC]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-ASPSS]: ASP.NET State Service Database Repository Communications Protocol

[MS-ASPSS]: ASP.NET State Service Database Repository Communications Protocol [MS-ASPSS]: ASP.NET State Service Database Repository Communications Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

[MS-DPRDL]: Report Definition Language Data Portability Overview. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-DPRDL]: Report Definition Language Data Portability Overview. Intellectual Property Rights Notice for Open Specifications Documentation [MS-DPRDL]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

Preliminary. [MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol

Preliminary. [MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol [MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes

More information

[MS-ABTP]: Automatic Bluetooth Pairing Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-ABTP]: Automatic Bluetooth Pairing Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-ABTP]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-TCC]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-CAPR]: Central Access Policy Identifier (ID) Retrieval Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-CAPR]: Central Access Policy Identifier (ID) Retrieval Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-CAPR]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-XMLSS]: Microsoft XML Schema (Part 1: Structures) Standards Support Document

[MS-XMLSS]: Microsoft XML Schema (Part 1: Structures) Standards Support Document [MS-XMLSS]: Microsoft XML Schema (Part 1: Structures) Standards Support Document Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

[MS-CAPR-Diff]: Central Access Policy Identifier (ID) Retrieval Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-CAPR-Diff]: Central Access Policy Identifier (ID) Retrieval Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-CAPR-Diff]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-POINTER]: Microsoft Edge / Internet Explorer Pointer Events Standards Support Document

[MS-POINTER]: Microsoft Edge / Internet Explorer Pointer Events Standards Support Document [MS-POINTER]: Microsoft Edge / Internet Explorer Pointer Events Standards Support Document Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes

More information

[MS-POINTERLOCK]: Microsoft Edge / Internet Explorer Pointer Lock Standards Support Document

[MS-POINTERLOCK]: Microsoft Edge / Internet Explorer Pointer Lock Standards Support Document [MS-POINTERLOCK]: Microsoft Edge / Internet Explorer Pointer Lock Standards Support Document Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft

More information

Microsoft XML Namespaces Standards Support Document

Microsoft XML Namespaces Standards Support Document [MS-XMLNS]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-CPSP-Diff]: Connection Point Services: Phonebook Data Structure. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-CPSP-Diff]: Connection Point Services: Phonebook Data Structure. Intellectual Property Rights Notice for Open Specifications Documentation [MS-CPSP-Diff]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-EME]: Microsoft Edge Encrypted Media Extensions Standards Support Document

[MS-EME]: Microsoft Edge Encrypted Media Extensions Standards Support Document [MS-EME]: Microsoft Edge Encrypted Media Extensions Standards Support Document Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

Remote Desktop Protocol: Input Virtual Channel Extension

Remote Desktop Protocol: Input Virtual Channel Extension [MS-RDPEI-Diff]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-DSMN]: Device Session Monitoring Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-DSMN]: Device Session Monitoring Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-DSMN]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-ECS-Diff]: Enterprise Client Synchronization Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-ECS-Diff]: Enterprise Client Synchronization Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-ECS-Diff]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

[MS-PICSL]: Internet Explorer PICS Label Distribution and Syntax Standards Support Document

[MS-PICSL]: Internet Explorer PICS Label Distribution and Syntax Standards Support Document [MS-PICSL]: Internet Explorer PICS Label Distribution and Syntax Standards Support Document Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft

More information

[MS-TCC]: Tethering Control Channel Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-TCC]: Tethering Control Channel Protocol. Intellectual Property Rights Notice for Open Specifications Documentation [MS-TCC]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,

More information

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. [MS-CBCP]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages,

More information

[MS-ASNOTE]: Exchange ActiveSync: Notes Class Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-WEBDAVE]: Web Distributed Authoring and Versioning Error Extensions Protocol

[MS-RTPRAD]: Real-Time Transport Protocol (RTP/RTCP): Redundant Audio Data Extensions

[MS-GPEF]: Group Policy: Encrypting File System Extension

[MS-WDSMSI]: Windows Deployment Services Multicast Session Initiation Protocol

[MS-PCQ-Diff]: Performance Counter Query Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

[MS-CTDOC]: Intellectual Property Rights Notice for Open Specifications Documentation

[MS-WSSO]: Intellectual Property Rights Notice for Open Specifications Documentation

[MS-HRL]: Intellectual Property Rights Notice for Open Specifications Documentation
